Encrypted memory. User-held keys. Zero-retention inference. Agent runtime. All in a single TypeScript SDK — so you can ship a private AI product without building six systems first.
Open-core · MIT licensed · Hosted on krava.ai
Passkey authentication. Client-side cryptography. Encrypted vector storage.
TEE-routed inference. Capability-based access control. Tamper-evident audit logs.
Get any one wrong and the privacy guarantee breaks.
Build all six yourself and you've spent a quarter not shipping your product.
Krava is those six systems, packaged as an SDK drop-in.
// 01
Every API call routes through Krava's encrypted proxy. Your agent never touches a model API key directly — even if the container is compromised.
// 02
User data is encrypted client-side before it reaches storage. The key lives with the user. Krava cannot read it. Neither can law enforcement with a subpoena.
// 03
For sensitive workloads, inference runs inside NVIDIA hardware enclaves (TEEs). The GPU operator cannot see the data in memory during processing. Not a policy. A hardware guarantee.
Two entry points. Same privacy guarantee underneath.
You define the persona. Krava provides the encrypted substrate. Streamed conversations with user-keyed encrypted memory and zero-retention TEE inference — behind a single SDK call.
import { createPrivyClient } from '@krava/sdk'
const krava = createPrivyClient({
appKey: process.env.KRAVA_APP_KEY
})
// Provision a user — returns encrypted userToken
const { userToken } = await krava.provisionUser({
externalUserId: user.id
})
// That's it. Encrypted memory,
// passkey identity, zero-retention inference.Provision a per-user agent pod in a zero-trust environment. Built-in tools: web search, email, calendar, Telegram. Each user gets their own containerized runtime — not a shared service.
// Spin up an autonomous agent for this user
const agent = await krava.provisionAgent({
userToken,
region: 'eu', // GDPR-aligned by default
tools: ['search', 'email', 'calendar']
})
// Agent runs in an isolated container.
// All inference routes through Krava's proxy.
// Agent never holds an API key.
await agent.start()step_01 — register
You get an appKey. Keep it server-side. Never expose it to the browser.
step_02 — provision
Call Krava from your server with the appKey. Each user gets a userToken — a time-limited credential safe to pass to the browser.
step_03 — ship
Your frontend calls Krava with the userToken. Every user now has encrypted memory, passkey identity, and model-agnostic inference.
"The security model is Stripe's: a server-side secret key that never touches the browser, and a client-safe token for everything downstream."
Four cryptographic guarantees. Each independent. All running together.
No username. No password. No email. Users authenticate with Face ID or Touch ID via WebAuthn. Their cryptographic handle is a hash — Krava stores it, but cannot reverse it to a real identity. Even under legal compulsion.
Every memory item is encrypted with a key derived from the user's authentication token — 100,000 rounds of PBKDF2, per-user salt, per-message nonce. The ciphertext reaches the database. The key never does.
For sensitive workloads, inference runs inside NVIDIA H100/H200 Trusted Execution Environments. The GPU operator cannot read data in memory during processing. SOC 2 Type II. Open-source stack — cryptographically verifiable, not just auditable.
Route to Anthropic, OpenAI, Fireworks, or self-hosted models — based on task sensitivity, cost, and capability. Sensitive tasks go to Tinfoil; general tasks use commercial APIs. Users and developers are never locked to a single provider.
Before asking other developers to trust this infrastructure, we built two real products on top of it.
The private AI for senior leaders.
A coaching product for executives and founders working through sensitive decisions — board dynamics, layoffs, fundraising, co-founder conflict — where existing options all fail the privacy bar.
Krava Coach runs entirely on the SDK: passkey login, encrypted conversation memory, TEE inference for the highest-sensitivity sessions, and three coaching modes (Vent · Decision Lab · Reframe & Reset). It has paying subscribers.
Every feature a developer could build is visible and documented in the open-source repository.
A private AI agent that lives in Telegram.
An autonomous AI assistant — model-agnostic, Telegram-native, capable of multi-step work (research, drafting, inbox triage, meeting prep, decision support) — where the user holds the keys to everything the agent knows about them.
Each user gets their own containerized agent instance. The agent never holds an API key. All inference routes through Krava's encrypted proxy.
This is what an AI agent looks like when it is architecturally incapable of leaking — not just contractually prohibited.
Open-core: self-host forever, free. Hosted: managed gateway, usage-based.
open_source
Free
Forever. No limits.
MIT Licensedhosted
Usage-based
Per call · per item · per pod-hour
HACKATHON2026 — Free provisioningenterprise
Custom
Regulated verticals · dedicated infra
AI agents will touch more sensitive data in the next two years than every enterprise SaaS system of the last decade. The model companies are not going to solve this — it is architecturally opposed to their interests.
Krava is infrastructure for developers who want to build agents that are incapable of leaking — not just contractually prohibited.
The privacy story is real today. The keys are yours. The code is open.